Merge "Make federated domain configurable"
commit
e37c8ae632
@ -511,6 +511,15 @@ FILE_OPTIONS = {
|
|||
'Identity Provider from the environment (e.g. if '
|
||||
'using the mod_shib plugin this value is '
|
||||
'`Shib-Identity-Provider`).'),
|
||||
cfg.StrOpt('federated_domain_name', default='Federated',
|
||||
help='A domain name that is reserved to allow federated '
|
||||
'ephemeral users to have a domain concept. Note that '
|
||||
'an admin will not be able to create a domain with '
|
||||
'this name or update an existing domain to this '
|
||||
'name. You are not advised to change this value '
|
||||
'unless you really have to. Changing this option '
|
||||
'to empty string or None will not have any impact and '
|
||||
'default name will be used.'),
|
||||
],
|
||||
'policy': [
|
||||
cfg.StrOpt('driver',
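Review bot: The help text for `federated_domain_name` does not say that the reservation is matched case-insensitively, although `assert_domain_not_federated` in this commit lowercases both the configured value and the domain name/ID before comparing, so an operator reading only this option could assume `federated` and `Federated` are distinct names. I would append `'The comparison is case insensitive.'` after the sentence about the default being used. It is also worth stating that the reservation is only enforced when a domain is created or updated, so a domain that already exists under a newly configured name is neither renamed nor rejected — that is what the manager code in this commit does, though other call paths are outside the diff.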
|
||||
|
|
|
@ -67,9 +67,6 @@ class Manager(manager.Manager):
|
|||
assignment_driver = dependency.REGISTRY['assignment_api'].driver
|
||||
resource_driver = assignment_driver.default_resource_driver()
|
||||
|
||||
self.federated_domain_reserved = (
|
||||
federation.FEDERATED_DOMAIN_KEYWORD.lower())
|
||||
|
||||
super(Manager, self).__init__(resource_driver)
|
||||
|
||||
def _get_hierarchy_depth(self, parents_list):
|
||||
|
@ -127,20 +124,26 @@ class Manager(manager.Manager):
|
|||
raise AssertionError(_('Domain is disabled: %s') % domain_id)
|
||||
|
||||
def assert_domain_not_federated(self, domain_id, domain):
|
||||
"""Assert the Domain's name and id are not "Federated".
|
||||
"""Assert the Domain's name and id do not match the resevered keyword.
|
||||
|
||||
Note that the reserved keyword 'Federated' is case insensitive
|
||||
Note that the reserved keyword is defined in the configuration file,
|
||||
by default, it is 'Federated', it is also case insensitive.
|
||||
If config's option is empty the default hardcoded value 'Federated'
|
||||
will be used.
|
||||
|
||||
:raise AssertionError if domain named match the value in the config.
|
||||
|
||||
:raise AssertionError if domain named "Federated".
|
||||
"""
|
||||
|
||||
if domain.get('name') is not None:
|
||||
if domain['name'].lower() == self.federated_domain_reserved:
|
||||
raise AssertionError(_('Domain cannot be named Federated: %s')
|
||||
% domain_id)
|
||||
if domain_id.lower() == self.federated_domain_reserved:
|
||||
raise AssertionError(_('Domain cannot have ID Federated: %s')
|
||||
% domain_id)
|
||||
# NOTE(marek-denis): We cannot create this attribute in the __init__ as
|
||||
# config values are always initialized to default value.
|
||||
federated_domain = (CONF.federation.federated_domain_name or
|
||||
federation.FEDERATED_DOMAIN_KEYWORD).lower()
|
||||
if (domain.get('name') and domain['name'].lower() == federated_domain):
|
||||
raise AssertionError(_('Domain cannot be named %s')
|
||||
% federated_domain)
|
||||
if (domain_id.lower() == federated_domain):
|
||||
raise AssertionError(_('Domain cannot have ID %s')
|
||||
% federated_domain)
|
||||
|
||||
def assert_project_enabled(self, project_id, project=None):
|
||||
"""Assert the project is enabled and its associated domain is enabled.
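Review bot: The fallback `CONF.federation.federated_domain_name or federation.FEDERATED_DOMAIN_KEYWORD` is now written out twice — here in `assert_domain_not_federated` and again in `_handle_mapped_tokens` in the token provider hunk — and those two copies are what keep the reserved-name check and the domain stamped into federated tokens in step; if they drift, the domain carried by a federated token stops being reserved and an admin could create a real domain under that name. A single helper in the federation module, e.g. `def get_federated_domain_name(): return CONF.federation.federated_domain_name or FEDERATED_DOMAIN_KEYWORD` (assuming `CONF` is importable there), called from both places would remove that risk. The new docstring also has a typo, `resevered` → `reserved`, and the `:raise` line reads better as `:raise AssertionError: if the domain name or ID matches the configured reserved name.`. Finally, the rewritten error messages drop `domain_id` (the old ones included it), which makes the failure less useful in logs; `_('Domain cannot be named %(name)s: %(id)s')` with both values would keep that context.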
|
||||
|
|
|
@ -501,6 +501,62 @@ class AssignmentTestCase(test_v3.RestfulTestCase):
|
|||
exception.DomainNotFound, self.assignment_api.delete_domain,
|
||||
domain['id'])
|
||||
|
||||
def test_forbid_operations_on_defined_federated_domain(self):
|
||||
"""Make sure one cannot operate on a user-defined federated domain.
|
||||
|
||||
This includes operations like create, update, delete.
|
||||
|
||||
"""
|
||||
|
||||
non_default_name = 'beta_federated_domain'
|
||||
self.config_fixture.config(group='federation',
|
||||
federated_domain_name=non_default_name)
|
||||
domain = self.new_domain_ref()
|
||||
domain['name'] = non_default_name
|
||||
self.assertRaises(AssertionError,
|
||||
self.assignment_api.create_domain,
|
||||
domain['id'], domain)
|
||||
self.assertRaises(exception.DomainNotFound,
|
||||
self.assignment_api.delete_domain,
|
||||
domain['id'])
|
||||
self.assertRaises(AssertionError,
|
||||
self.assignment_api.update_domain,
|
||||
domain['id'], domain)
|
||||
|
||||
def test_set_federated_domain_when_config_empty(self):
|
||||
"""Make sure we are operable even if config value is not properly
|
||||
set.
|
||||
|
||||
This includes operations like create, update, delete.
|
||||
|
||||
"""
|
||||
federated_name = 'Federated'
|
||||
self.config_fixture.config(group='federation',
|
||||
federated_domain_name='')
|
||||
domain = self.new_domain_ref()
|
||||
domain['id'] = federated_name
|
||||
self.assertRaises(AssertionError,
|
||||
self.assignment_api.create_domain,
|
||||
domain['id'], domain)
|
||||
self.assertRaises(exception.DomainNotFound,
|
||||
self.assignment_api.delete_domain,
|
||||
domain['id'])
|
||||
self.assertRaises(AssertionError,
|
||||
self.assignment_api.update_domain,
|
||||
domain['id'], domain)
|
||||
|
||||
# swap id with name
|
||||
domain['id'], domain['name'] = domain['name'], domain['id']
|
||||
self.assertRaises(AssertionError,
|
||||
self.assignment_api.create_domain,
|
||||
domain['id'], domain)
|
||||
self.assertRaises(exception.DomainNotFound,
|
||||
self.assignment_api.delete_domain,
|
||||
domain['id'])
|
||||
self.assertRaises(AssertionError,
|
||||
self.assignment_api.update_domain,
|
||||
domain['id'], domain)
|
||||
|
||||
# Project CRUD tests
|
||||
|
||||
def test_list_projects(self):
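Review bot: `test_set_federated_domain_when_config_empty` exercises only `federated_domain_name=''`, while the option's help text and the `or` fallback in assignment core also promise the default for `None`; a second run with `federated_domain_name=None` (or a loop over both values) would pin that path. `test_forbid_operations_on_defined_federated_domain` sets only `domain['name']`, so the ID branch of `assert_domain_not_federated` is never covered for a non-default name — a sibling assertion block with `domain['id'] = non_default_name` would close that gap. The docstring of the second test also wraps its summary across two lines; a one-line summary such as `"""Make sure we are operable even if the config value is not set."""` keeps it PEP 257 compliant.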
|
||||
|
|
|
@ -463,6 +463,11 @@ class BaseProvider(provider.Provider):
|
|||
return token_id, token_data
|
||||
|
||||
def _handle_mapped_tokens(self, auth_context, project_id, domain_id):
|
||||
def get_federated_domain():
|
||||
return (CONF.federation.federated_domain_name or
|
||||
federation.FEDERATED_DOMAIN_KEYWORD)
|
||||
|
||||
federated_domain = get_federated_domain()
|
||||
user_id = auth_context['user_id']
|
||||
group_ids = auth_context['group_ids']
|
||||
idp = auth_context[federation.IDENTITY_PROVIDER]
|
||||
|
@ -476,8 +481,8 @@ class BaseProvider(provider.Provider):
|
|||
'protocol': {'id': protocol}
|
||||
},
|
||||
'domain': {
|
||||
'id': federation.FEDERATED_DOMAIN_KEYWORD,
|
||||
'name': federation.FEDERATED_DOMAIN_KEYWORD
|
||||
'id': federated_domain,
|
||||
'name': federated_domain
|
||||
}
|
||||
}
|
||||
}
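Review bot: The nested `get_federated_domain()` in `_handle_mapped_tokens` (first hunk of this file) is defined and called exactly once, so the closure only adds indirection; `federated_domain = (CONF.federation.federated_domain_name or federation.FEDERATED_DOMAIN_KEYWORD)` inline, or better a helper in the federation module shared with `assert_domain_not_federated` in assignment core, reads more directly and keeps the two fallbacks from drifting. The token stores the configured value as typed while the reservation check in assignment core compares lowercased values, so a domain named in a different case is still rejected; a one-line comment such as `# the reserved name is matched case-insensitively by assignment core` next to the assignment would spare the next reader the cross-file check. `_handle_mapped_tokens` continues outside both hunks.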
|
||||
|
|